Add validation header to webhooks

[Regrau]

This change will allow to verify the source of the POST request.
The idea is to have the same functionality as in githubs
guide on securing webhooks.

https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks

With this change there is an additional header that will be sent to the
webhooks targetUrl and that can then verify the authenticity of
the source.

This will require another change in the admin client. That is already prepared and I will submit a
pull request there to.

The idea was already discussed in issue #9942 but the implementation seemed to be left behind.

If there is need for any other changes please let me know.

Regards
Georg

[codecov]

Codecov Report

Merging #13980 (4885990) into main (0943daa) will increase coverage by 4.35%.
The diff coverage is 0.00%.

❗ Current head 4885990 differs from pull request most recent head 8642d05. Consider uploading reports for the commit 8642d05 to get more accurate results

@@            Coverage Diff             @@
##             main   #13980      +/-   ##
==========================================
+ Coverage   52.92%   57.27%   +4.35%     
==========================================
  Files        1379      580     -799     
  Lines       88124    47825   -40299     
  Branches     9918     4175    -5743     
==========================================
- Hits        46638    27392   -19246     
+ Misses      41435    20392   -21043     
+ Partials       51       41      -10     

Impacted Files	Coverage Δ
core/server/services/webhooks/trigger.js	0.00% <0.00%> (ø)
ghost/core/core/server/web/comments/routes.js
ghost/api-framework/lib/headers.js
...st/core/core/server/services/invitations/accept.js
ghost/admin/app/adapters/label.js
...t/core/core/server/services/themes/ThemeStorage.js
...erver/api/endpoints/utils/validators/input/tags.js
ghost/admin/app/controllers/setup/done.js
...mponents/settings/form-fields/publication-cover.js
...core/core/server/services/email-analytics/index.js
... and 1950 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[hwlmatt]

Hey @Regrau, this is great.
What about adding the timestamp to the signature header so receiving endpoint can check against that as well?
Consider: Stripe webhooks: replay attacks

...
'X-Ghost-Signature': `sha256=${crypto.createHmac('sha256', secret)
                                    .update(reqPayload).digest('hex')},t=${Date.now()}`
...

[Regrau]

Hi @hwlmatt sounds reasonable so I added the timestamp.

@ErisDS Does this PR still need some work to be merged? If it's the tests I'd need a pointer to where they are located as I'm not quite sure where to start.

[ErisDS]

I'm so sorry, I thought I left a comment on this aaaaages ago.

Secret is optional, we shouldn't assume one is set, and the header shouldn't be added unless there is a secret set. The current PR adds the header no-matter what.

Tests would be nice, but not a deal-breaker here.

[Regrau]

No problem, happens to to the best of us. :)
At least I know it wasn't completely abandoned!

I'll look into it as soon as I have a bit of time on my hands.

[ErisDS]

The admin client is now back in this repo under ghost/admin so it should be much easier to get this change over the line now 😄

[Regrau]

Hi @ErisDS,
this is now soooo much more convenient than working with submodules, awesome!

Now the header will appear only when there is a secret set for the webhook like you suggested.
Please have a look, if there is something else that needs doing let me know.